Fedora Looks At Tightening Its Crypto Policies Next Year

Written by Michael Larabel in Fedora on 30 April 2022 at 06:09 AM EDT. 5 Comments
Fedora Linux is looking at tightening up its cryptographic policies with next year's Fedora 38/39 releases but for Fedora 37 later this year they will likely begin warning users around the planned changes.

The latest change proposal for Fedora 37 this autumn notes, "Cryptographic policies will be tightened in Fedora 38-39, SHA-1 signatures will no longer be trusted by default. Fedora 37 specifically doesn't come with any change of defaults, and this Fedora Change is an advance warning filed for extra visibility. Test your setup with FUTURE today and file bugs so you won't get bit by Fedora 38-39...The flagship change this time will be distrusting SHA-1 signatures on the cryptographic library level, affecting more than just TLS. OpenSSL will start blocking signature creation and verification by default, with the fallout anticipated to be wide enough for us to roll out the change across multiple cycles with multiple forewarnings. In Fedora 36, 37 and 38 released distrusting SHA-1 signatures will be opt-in. In Fedora 38 rawhide and Fedora 39 distrusting SHA-1 signatures will happen by default."

The upcoming crypto policy changes most notably include distrusting SHA-1 signatures. Due to SHA-1 signatures still being out there and used, the plan with Fedora 37 is to warn users/administrators when encountering such signatures. The "future" policy will require SHA-256 hashes or better for signatures, all HDMAC with SHA-256 or better for MACs, at least 256-bit keys for ciphers, and other tightening in the name of ensuring more robust security.

More details on these planned security changes and the warnings that could appear in Fedora 37 can be found via the Fedora Wiki.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week